
Azure Service Management API authentication using Azure Active Directory OAuth

I'd like to authenticate to the Azure Service Management API using Azure AD through curl.

I set up an application within my default directory. In this free trial subscription that's the only directory I have.

When I target the oauth token endpoint I receive a JWT.

curl --data "grant_type=client_credentials&client_id=<my_client_id>&client_secret=<my_encoded_secret>&resource=https%3A%2F%2Fmanagement.core.windows.net" \
     https://login.windows.net/<my_tenant_id>/oauth2/token

But when I use that token to list my subscription details I receive an error:

curl -H "x-ms-version: 2014-06-01" \
     -H "Authorization: Bearer <my_token>" \
     https://management.core.windows.net/<my_subscription_id>/

    <Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
      <Code>ForbiddenError</Code>
      <Message>The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.</Message>
    </Error>

I have granted permissions to the Service Management API for the application as "Delegated permissions", because "Application permissions" are not available.


What am I missing?

This isn't possible due to the Application Permissions: 0 setting for the Service Management API. The client_credentials grant type uses credentials from the application (client_id and client_secret), and since the application does not have permissions for this API the call fails.

Since the Service Management API will not allow application permissions of any kind, we must use the authorization_code grant type or some other method to obtain a user token.

It turns out the Azure Service Management API permissions cannot be configured through the Azure Portal API.

The full solution is here:

https://blog.jongallant.com/2021/02/azure-rest-apis-postman-2021/

The solution lies in using the Azure CLI to create a service principal that already has the rights assigned.

az ad sp create-for-rbac

You can go directly to https://shell.azure.com/ and execute the command.

Be sure to save the resulting credential data securely.
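The end-to-end flow the two answers describe, as an added example that is not code from the original question or either answer: request a token with the `client_credentials` grant using the service principal that `az ad sp create-for-rbac` prints (its `appId`, `password` and `tenant` fields map to `client_id`, `client_secret` and the tenant in the token URL), percent-encode every form value so a secret containing `/`, `+` or `=` is not mangled, decode the returned JWT and confirm its `aud` claim is the resource you asked for before blaming authorization, and only then call the Service Management endpoint. The environment variable names (`TENANT_ID`, `CLIENT_ID`, `CLIENT_SECRET`, `SUBSCRIPTION_ID`), the trailing-slash `RESOURCE` value and the sample token are this example's own assumptions; the sample JWT is constructed and unsigned, for offline testing only.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes a service principal
# created with `az ad sp create-for-rbac` and these environment variables
# (names chosen for this example): TENANT_ID (the "tenant" field),
# CLIENT_ID (the "appId" field), CLIENT_SECRET (the "password" field) and
# SUBSCRIPTION_ID. Needs curl, sed, cut, tr and a `base64 -d` (GNU coreutils).

RESOURCE="https://management.core.windows.net/"   # assumed audience; trailing slash kept

# Percent-encode one ASCII string for an application/x-www-form-urlencoded
# body. Secrets often contain '/', '+' or '=', which would otherwise be read
# as part of the form syntax and produce an invalid_client error.
urlencode() {
  s=$1; out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}; s=${s#?}                   # peel off the first character
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;          # RFC 3986 unreserved: keep
      *) out="$out$(printf '%%%02X' "'$c")" ;;  # everything else: %XX
    esac
  done
  printf '%s' "$out"
}

# Build the client_credentials request body with every value encoded.
token_request_body() {
  printf 'grant_type=client_credentials&client_id=%s&client_secret=%s&resource=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# base64url without padding; used only to build the constructed sample token.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

# Decode the payload (second dot-separated segment) of a JWT.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in 2) p="$p==" ;; 3) p="$p=" ;; esac   # restore padding
  printf '%s' "$p" | base64 -d
}

# Pull one string-valued claim out of the payload. Enough for Azure AD tokens
# (compact JSON with unique claim names); not a general JSON parser.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Succeeds when the token's audience is the resource we asked for. A mismatch
# means the token was minted for a different API, so a 403 is expected and
# the ASM error text about certificates is a red herring.
check_audience() {
  [ "$(jwt_claim "$1" aud)" = "$2" ]
}

# Constructed sample token (unsigned, offline use only).
sample_jwt() {
  printf '%s.%s.%s' "$(b64url '{"alg":"none","typ":"JWT"}')" \
    "$(b64url '{"aud":"https://management.core.windows.net/","appid":"11111111-2222-3333-4444-555555555555"}')" \
    "sig"
}

# Live flow: request a token, verify its audience, then call Service Management.
main() {
  token=$(curl -sS --data "$(token_request_body "$CLIENT_ID" "$CLIENT_SECRET" "$RESOURCE")" \
      "https://login.windows.net/$TENANT_ID/oauth2/token" \
    | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
  [ -n "$token" ] || { echo "no access_token in token response" >&2; exit 1; }
  check_audience "$token" "$RESOURCE" \
    || { echo "token audience is '$(jwt_claim "$token" aud)', not '$RESOURCE'" >&2; exit 1; }
  curl -sS -H "x-ms-version: 2014-06-01" -H "Authorization: Bearer $token" \
    "https://management.core.windows.net/$SUBSCRIPTION_ID/"
}

# Only talk to Azure when credentials were supplied; otherwise the functions
# above are merely defined so the file can be sourced or tested offline.
if [ -n "${TENANT_ID:-}" ] && [ -n "${CLIENT_ID:-}" ] && [ -n "${CLIENT_SECRET:-}" ]; then
  main
fi
```

Run it as `TENANT_ID=… CLIENT_ID=… CLIENT_SECRET=… SUBSCRIPTION_ID=… sh asm-token.sh`. If the audience check passes and the call still returns `ForbiddenError`, the token is fine and the problem is what the accepted answer says: the principal has no rights on the subscription, which is exactly what `az ad sp create-for-rbac` is there to fix.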
